No recovery for credit monitoring costs after data breach

Pisciotta v. Old National Bancorp, No. 06-3817, — F.3d —-, (7th Cir. August 23, 2007)

Defendant Old National Bank had a website through which it gathered numerous fields of confidential information about its customers, and it stored that information in a database. After a hacker compromised the system and gained access to the confidential customer information, two of the bank’s customers filed suit in an Indiana federal court, alleging breach of contract and negligence. They sought recovery not of any actual loss suffered from the security breach (e.g., amounts drained from the accounts), but instead sought to be reimbursed for future credit monitoring services.

The bank answered the complaint and moved for judgment on the pleadings under Fed. R. Civ. P. 12(c). The court granted the motion, holding that the alleged damages were not cognizable under Indiana law. The plaintiffs sought review with the Seventh Circuit Court of Appeals, which affirmed the dismissal of the action.

The court observed that there was essentially no authority providing guidance on how the issue should be resolved under Indiana law. (The district court sitting in diversity was required to apply the law of the state in which it sits — Indiana.) Part of the analysis, however, relied on a recently enacted Indiana statute dealing with data breaches. Under that statute [I.C. 24-4.9 et seq.], under certain circumstances, if a bank becomes aware of a compromise in its security, it must notify its customers. The only cause of action available under the statute lies with the government, as the attorney general is authorized to pursue civil actions against non-compliant banks. Private individuals are not entitled to recovery under the statute.

The lack of any affirmative right to recover the costs of prospective credit monitoring services in the statute contributed to the court’s decision to hold that none should be available at common law. Given the absence of any state authority directly addressing the point, the federal court declined to implement such a “substantial innovation” on a question of state law.

Opinion appears below (or click through if it’s not showing up in the RSS feed):